this post was submitted on 27 May 2026
718 points (99.0% liked)

Technology

84965 readers
3555 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related news or articles.
  3. Be excellent to each other!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
  9. Check for duplicates before posting, duplicates may be removed
  10. Accounts 7 days and younger will have their posts automatically removed.

Approved Bots

founded 3 years ago
MODERATORS
L3s@lemmy.world
enu@lemmy.world
technopagan@lemmy.world
L4s@lemmy.world
L3s@hackingne.ws
718
Microsoft's GitHub bans security researcher who posted zero-day Windows exploits because company 'ruined their life' — expert claims action is vindictive and promises further retaliation (www.tomshardware.com)
submitted 1 day ago by throws_lemy@reddthat.com to c/technology@lemmy.world
111 comments fedilink hide all child comments
top 50 comments
sorted by: hot top controversial new old
[–] someone@lemmy.today 1 points 3 minutes ago

This is extremely unfair to MicroSlop.

[–] Poem_for_your_sprog@lemmy.world 11 points 1 hour ago (1 children)

What even is the headline

[–] jj4211@lemmy.world 8 points 55 minutes ago

That was my thought, what a absolute mess of a 'sentence'.

[–] BlackLaZoR@lemmy.world 27 points 4 hours ago* (last edited 4 hours ago) (1 children)

Microsoft closed the case after the reporter refused to submit a video of the exploit

They don't have any actual fucking security experts there, so they require video proof that ape will understand.

Posting zero day exploits on github is a shit move. But Microsoft should be happy that this guy posted it on github rather than selling it on the black market.

Banning his guthub account won't make zero day vulnerabilities go away ffs.

[–] jjlinux@lemmy.zip 4 points 1 hour ago (1 children)

I am so calling it 'guthub' from now on.

[–] BlackLaZoR@lemmy.world 1 points 55 minutes ago

😅

[–] sonofearth@lemmy.world 14 points 6 hours ago* (last edited 6 hours ago) (1 children)

Didn't Google also recently used their stupid AI to find exploits in FFMPEG and then blackmailed them to fix it before deadline or they will release them to the public? If banning a dev for such "act" is right, then banning the company should also be right. Ban all of them.

[–] echodot@feddit.uk 7 points 5 hours ago (1 children)

There was a protocol for reporting security vulnerabilities. Of course some companies don't follow the protocol when vulnerabilities are reported to them, but that's their problem.

You report the problem and then you wait 1 month, if the company still hasn't fixed the issue by then, then you publicly announce it.

[–] jjlinux@lemmy.zip 1 points 1 hour ago

Unless it is an open source piece of software, any vulnerability I find will be publicly posted while I remove all software using it from all my devices and infrastructure.

[–] prenatal_confusion@feddit.org 24 points 13 hours ago (1 children)

Uniformed other than a few snippets from the blog but the researcher doesn't seem to be in a good place mentally. Understandable if what they claim is true, making them unreliable if it isn't.

Not victim blaming, but things aren't automatically true because they are anti Ms.

[–] Aqarius@lemmy.world 3 points 1 hour ago (1 children)

From what I've heard, the POC worked.

[–] jj4211@lemmy.world 1 points 32 minutes ago

I think it's less being uncertain about the vulnerability and more about being uncertain about all the other drama surrounding it.

This Dormann fellow paints a believable picture of MSRC as an organization ruined by mismanagement and left incompetent and dysfunctional. A very banal scenario of failure that is familiar to anyone with experience with big businesses. Eclipse seems to see a more malicious intent and assumes that MSRC had it out for Eclipse personally from the onset for... some reason.

Eclipse may have found real stuff, but the communication style is a bit unhinged so it's hard to evaluate the surrounding drama. This unhinged communication style combined with a bureaucratic MSRC could lead to them not being able to understand Eclipse's attempt to explain.

The question is whether Eclipse was unhinged from the onset or understandably driven off the deep end by malicious treatment by MSRC. Both scenarios are believable, hence the sensible take away that we have one side of the story and while we should recognize that, we must also consider that an alternate scenario played out.

[–] placebo@lemmy.zip 33 points 17 hours ago

I'm surprised admins found a window large enough when github wasn't down to ban the researcher.

[–] FauxLiving@lemmy.world 80 points 19 hours ago

I feel that companies like Microsoft have forgotten that bug bounties and ethical reporting are the compromise where they agree to pay a fair amount for the bugs and are given time to fix them and the security researcher forgoes the 10x price they could get on the black market.

Given the rise in mercenary hacking/spyware corporations, the bug researchers could probably get way more money through those alternate, and still legal, channels.

So I hear.

[–] super_user_do@feddit.it 19 points 15 hours ago (1 children)

This is a cartoonish level of evil by Microsoft blud

[–] Aqarius@lemmy.world 1 points 1 hour ago

I mean, the cartoonish evil was making the backdoor in the first place. This is just inept.

[–] NotMyOldRedditName@lemmy.world 33 points 17 hours ago* (last edited 17 hours ago) (1 children)

Is this the bitlocker backdoor? That's not an exploit / zeroday

Thats making a backdoor be known.

[–] freely1333@reddthat.com 17 points 14 hours ago (1 children)

Well the thing is it’s now been zero days since they had to write a new backdoor.

load more comments (1 replies)
[–] magnetosphere@fedia.io 120 points 21 hours ago (1 children)

“Hey, let’s piss off the security expert who’s really good at finding flaws in our products. There’s literally no downside.”

[–] Chais@sh.itjust.works 79 points 20 hours ago (1 children)

"Oh, the one who just published two exploits on our product, after we fucked them over during the responsible disclosure process? Great idea! What are the chances they'll find another one, right?

[–] Bazoogle@lemmy.world 37 points 19 hours ago

He's done more than two. This was his second round of releases. He was also the one that found the vulnerability in Windows Defender.

[–] qaz@lemmy.world 57 points 19 hours ago (19 children)

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA512

Okay,

So let me get this straight, when I actively asked you to communicate with me, you refused, humiliated me and made sure to insult me in front of people.

You defame me in public with your CVE-2026-45585 advisory even though you literally deleted the Microsoft account I used to report bugs to you with and I got zero pennies from doing so and I still happily did like an idiot.

Now you take the courtesy to flag my github account and wipe it out of the public, just like that ? You are proving to everyone that you actively escalating this conflict but I'm done begging you.

I might sound like crazy idiot who is whinning around but I have proof for every single word I said, I just can't release it yet. Why ? Microsoft still has chains in my hands, it's been like this for years and I just can't stay silent anymore. I hope I can release the documents soon.

Mark this date July 14th, I will make sure your bones are shattered that day. Nothing will be released this June (or maybe I will release smtg, depending on circumstances).

Also,

CVE-2026-45498 is UnDefend

CVE-2026-41091 is RedSun

New GitLab account,

https://gitlab.com/nightmare-eclipse

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQRJTvAf/AWVhAKEeb7FFoRCS0/SbAUCahGg+gAKCRDFFoRCS0/S

bBMIAPsEczivsL71pbJizJHHlNNOf9guPAFFshJhhkwrDrwZ5wD/Vz6Z+d6vSvhQ

uVrEh4lPM84Q8+J56RLa50Zp46QLkAY=

=8wON

-----END PGP SIGNATURE-----

https://deadeclipse666.blogspot.com/

Their account on GitLab is already blocked https://gitlab.com/nightmare-eclipse

[–] drmoose@lemmy.world 1 points 4 minutes ago

What's the context here?

[–] BlackLaZoR@lemmy.world 2 points 4 hours ago

Can't wait for the drama to escalate. Maybe he sells these on black market for millions? Who knows. Banning his account is like pouring salt on the wound.

load more comments (17 replies)
[–] bamboo@lemmy.blahaj.zone 58 points 20 hours ago (5 children)

Microsoft has been mum on any details about these matters, so it's hard to tell if the situation is about an uncooperative researcher who doesn't follow standard disclosure rules or a company being difficult about security reports. Regardless, the move to ban Eclipse's GitHub account makes for poor optics, as it is being heavily criticized, and ultimately achieves nothing for security, since the code is out there anyway.

Classic Streisand effect. Just two years ago Satya Nadella publicly announced they're prioritizing security above all else, but now have nothing to say about these exploits and are trying to silence the researcher? Viewing from the sidelines, it did seem a bit reckless how Eclipse was dropping these as zero days, but Microsoft's actions speak louder than words and they probably didn't pay for the bounties.

load more comments (5 replies)
[–] 9point6@lemmy.world 204 points 1 day ago* (last edited 1 day ago) (27 children)

Man, Microsoft just keeps footgunning this one.

Every new exploit, they clearly have a meeting and convince themselves "that's gotta be the last of it, right?"

So the next day-after-patch-tuesday rolls around and lo and behold, this guy drops some more nukes on their reputation as far as their most important customer demographic are concerned (corporate IT)

Given this genuinely does seem to stem from Microsoft mishandling this guy, why the fuck do they keep escalating

[–] BrightCandle@lemmy.world 112 points 1 day ago

Puts a lot of evidence towards his claims that Microsoft was behaving badly from the outset and the reason why he started doing this. They keep escalating. Its a war they started.

load more comments (26 replies)
[–] atrielienz@lemmy.world 134 points 1 day ago (2 children)

If the guy exposing the exploits is the be believed, they notified MS (or attempted to) and were ignored and then actively rebuffed. Then MS deleted the account (and the proof that this person actually reported these vulnerabilities/bugs).

Even if this person is lying I'm more likely to believe MS is the bad guy here. It seems like bullying to me. That and an attempt to mask the problems at the company because they have been getting a lot of bad press and are having trouble with the entirety of windows 11 which they forced on people and they keep breaking. The adoption rate of windows 11 being so bad also lends credence to what this person is claiming.

[–] CosmoNova@lemmy.world 1 points 5 hours ago

It sounds like the guy treats these issues in a very standard way by notifying the company beforehand with a note that the findings will be made publicly at a certain date. Microsoft ignores it and it inevitably gets published. That‘s standard procedure. Microsoft throwing a tantrum is the only extra thing here although „shooting the messenger“ seems to become more common these days with these findings.

load more comments (1 replies)
load more comments
view more: next ›